sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Mediatype for SPDX should be application/spdx+json #3515

Open lumjjb opened 9 months ago

lumjjb commented 9 months ago

Description

According to the IANA registration, the media type for SPDX JSON documents should be application/spdx+json

Currently, it is set to "text/spdx+json" in

Version

head

viveksahu26 commented 9 months ago

Yes, the media type for spdx is text, whereas the media type for spdx+json is application.

viveksahu26 commented 9 months ago

WDYT @haydentherapper ?

haydentherapper commented 9 months ago

Seems correct, just want to avoid any breaking changes on the verification path.

viveksahu26 commented 9 months ago

No, it will not affect verification. Currently we have 2 ways to add an SBOM: one is cosign attach sbom (it doesn't sign) and the other is cosign attest --type sbom (it signs the SBOM). Changing the media type only affects the attach one, not the attest one. And for the verification process, attest has a way to verify but attach does not.

@haydentherapper, one thing I wanted to ask: basically cosign attach sbom will be deprecated on 22/02/2024, so will the change make sense or not?
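The comment above distinguishes the unsigned `cosign attach sbom` path, which is the only one that writes the SPDX media type into an OCI manifest layer, from the attested path. As an added example (not cosign's own code, and not a verification routine), here is a small Go check over an OCI manifest that finds SPDX JSON layers under either spelling and flags the ones still carrying the pre-fix `text/spdx+json` value, which is the "no breaking change on the verification path" concern raised earlier in the thread. The manifest is constructed for this example, the descriptor fields are a subset of the OCI image manifest, and the digests are placeholders; the function names and the `SBOMFinding` type are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// The two spellings discussed in the issue: the IANA-registered media type for
// an SPDX JSON document, and the value `cosign attach sbom` was writing.
const (
	SPDXJSONMediaType       = "application/spdx+json"
	LegacySPDXJSONMediaType = "text/spdx+json"
)

// descriptor and manifest cover only the OCI manifest fields this check reads.
type descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

type manifest struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Config        descriptor   `json:"config"`
	Layers        []descriptor `json:"layers"`
}

// SBOMFinding records one layer that carries an SPDX JSON document.
// (Type and field names are this example's own, not cosign's.)
type SBOMFinding struct {
	Digest    string
	MediaType string
	Legacy    bool // true when the pre-fix "text/spdx+json" spelling was used
}

// ClassifySBOMLayers parses an OCI manifest and reports every layer whose media
// type is SPDX JSON under either spelling. Accepting both keeps artifacts that
// were attached before the media type was corrected resolvable, while marking
// them Legacy so an operator can see what still needs re-attaching.
func ClassifySBOMLayers(manifestJSON []byte) ([]SBOMFinding, error) {
	var m manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	var out []SBOMFinding
	for _, l := range m.Layers {
		// Media types are case-insensitive and may carry parameters such as
		// ";charset=utf-8"; normalise before comparing.
		mt := strings.ToLower(strings.TrimSpace(strings.SplitN(l.MediaType, ";", 2)[0]))
		switch mt {
		case SPDXJSONMediaType:
			out = append(out, SBOMFinding{Digest: l.Digest, MediaType: l.MediaType})
		case LegacySPDXJSONMediaType:
			out = append(out, SBOMFinding{Digest: l.Digest, MediaType: l.MediaType, Legacy: true})
		}
	}
	return out, nil
}

// CountLegacy reports how many SPDX JSON layers still use the old spelling.
func CountLegacy(findings []SBOMFinding) int {
	n := 0
	for _, f := range findings {
		if f.Legacy {
			n++
		}
	}
	return n
}

// sampleManifest is constructed for this example; it is not output captured
// from cosign, and the digests are placeholders rather than real content hashes.
const sampleManifest = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
             "digest": "sha256:0000000000000000000000000000000000000000000000000000000000000000", "size": 2},
  "layers": [
    {"mediaType": "text/spdx+json",
     "digest": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "size": 1024},
    {"mediaType": "application/spdx+json",
     "digest": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "size": 2048},
    {"mediaType": "Application/SPDX+JSON; charset=utf-8",
     "digest": "sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc", "size": 2048},
    {"mediaType": "application/octet-stream",
     "digest": "sha256:dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd", "size": 4}
  ]
}`

func main() {
	findings, err := ClassifySBOMLayers([]byte(sampleManifest))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s  %-40s legacy=%v\n", f.Digest[:19], f.MediaType, f.Legacy)
	}
	fmt.Printf("%d of %d SPDX JSON layers use the legacy media type\n", CountLegacy(findings), len(findings))
}
```

Run with `go run .` on the sample; against a real registry you would feed it the manifest JSON fetched for the SBOM tag. The check deliberately does not verify digests or signatures, since, as the thread notes, the attach path carries no signature to verify.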

haydentherapper commented 9 months ago

We don't need to continue to support anything that's been deprecated.

viveksahu26 commented 9 months ago

Ok, let's close it.